[PATCH 2/2] qemu: Check for existence of provided *_tls_x509_cert_dir

John Ferlan <jferlan@xxxxxxxxxx> · Wed, 28 Jun 2017 15:30:28 -0400

https://bugzilla.redhat.com/show_bug.cgi?id=1458630

Introduce virQEMUDriverConfigSetCertDir which will handle reading the
qemu.conf config file specific setting for default, vnc, spice, chardev,
and migrate. Then if a setting was provided, validating the existence of
the directory and overwriting the default set by virQEMUDriverConfigNew.

Also update the qemu.conf description for default to indicate the consequences
if the default directory does not exist.

Signed-off-by: John Ferlan <jferlan@xxxxxxxxxx>
---
 src/qemu/qemu.conf   |  9 ++++++++-
 src/qemu/qemu_conf.c | 42 ++++++++++++++++++++++++++++++++++--------
 2 files changed, 42 insertions(+), 9 deletions(-)

diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index e6c0832..737fa46 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -3,7 +3,7 @@
 # defaults are used.
 
 # Use of TLS requires that x509 certificates be issued. The default is
-# to keep them in /etc/pki/qemu. This directory must contain
+# to keep them in /etc/pki/qemu. This directory must exist and contain:
 #
 #  ca-cert.pem - the CA master certificate
 #  server-cert.pem - the server certificate signed with ca-cert.pem
@@ -13,6 +13,13 @@
 #
 #  dh-params.pem - the DH params configuration file
 #
+# If the directory does not exist or does not contain the necessary files,
+# QEMU domains will fail to start if they are configured to use TLS.
+#
+# In order to overwrite the default directory alter the following. If the
+# provided directory does not exist, then the setting reverts back to the
+# default /etc/pki/qemu.
+#
 #default_tls_x509_cert_dir = "/etc/pki/qemu"
 
 
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index 94e00b2..a52349f 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -440,6 +440,32 @@ virQEMUDriverConfigHugeTLBFSInit(virHugeTLBFSPtr hugetlbfs,
 }
 
 
+static int
+virQEMUDriverConfigSetCertDir(virConfPtr conf,
+                              const char *setting,
+                              char **value)
+{
+    char *tlsCertDir = NULL;
+
+    if (virConfGetValueString(conf, setting, &tlsCertDir) < 0)
+        return -1;
+
+    if (!tlsCertDir)
+        return 0;
+
+    if (!virFileExists(tlsCertDir)) {
+        VIR_INFO("%s, directory '%s' does not exist, retain default",
+                 setting, tlsCertDir);
+        VIR_FREE(tlsCertDir);
+    } else {
+        VIR_FREE(*value);
+        VIR_STEAL_PTR(*value, tlsCertDir);
+    }
+
+    return 0;
+}
+
+
 int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
                                 const char *filename,
                                 bool privileged)
@@ -467,8 +493,8 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
     if (!(conf = virConfReadFile(filename, 0)))
         goto cleanup;
 
-    if (virConfGetValueString(conf, "default_tls_x509_cert_dir",
-                              &cfg->defaultTLSx509certdir) < 0)
+    if (virQEMUDriverConfigSetCertDir(conf, "default_tls_x509_cert_dir",
+                                      &cfg->defaultTLSx509certdir) < 0)
         goto cleanup;
     if (virConfGetValueBool(conf, "default_tls_x509_verify",
                             &cfg->defaultTLSx509verify) < 0)
@@ -487,8 +513,8 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
         goto cleanup;
     if (rv == 0)
         cfg->vncTLSx509verify = cfg->defaultTLSx509verify;
-    if (virConfGetValueString(conf, "vnc_tls_x509_cert_dir",
-                              &cfg->vncTLSx509certdir) < 0)
+    if (virQEMUDriverConfigSetCertDir(conf, "vnc_tls_x509_cert_dir",
+                                      &cfg->vncTLSx509certdir) < 0)
         goto cleanup;
     if (virConfGetValueString(conf, "vnc_listen", &cfg->vncListen) < 0)
         goto cleanup;
@@ -532,8 +558,8 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
 
     if (virConfGetValueBool(conf, "spice_tls", &cfg->spiceTLS) < 0)
         goto cleanup;
-    if (virConfGetValueString(conf, "spice_tls_x509_cert_dir",
-                              &cfg->spiceTLSx509certdir) < 0)
+    if (virQEMUDriverConfigSetCertDir(conf, "spice_tls_x509_cert_dir",
+                                      &cfg->spiceTLSx509certdir) < 0)
         goto cleanup;
     if (virConfGetValueBool(conf, "spice_sasl", &cfg->spiceSASL) < 0)
         goto cleanup;
@@ -554,8 +580,8 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
             goto cleanup;                                                   \
         if (rv == 0)                                                        \
             cfg->val## TLSx509verify = cfg->defaultTLSx509verify;           \
-        if (virConfGetValueString(conf, #val "_tls_x509_cert_dir",          \
-                                  &cfg->val## TLSx509certdir) < 0)          \
+        if (virQEMUDriverConfigSetCertDir(conf, #val "_tls_x509_cert_dir",  \
+                                          &cfg->val## TLSx509certdir) < 0)  \
             goto cleanup;                                                   \
         if (virConfGetValueString(conf,                                     \
                                   #val "_tls_x509_secret_uuid",             \
-- 
2.9.4

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list






